Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACS40, EAP-TLS against Windows AD

We deployed ACS 4.0 (NOT ACS SE) and WLAN in our corporate network.

Our ultimate goal is to have each staff authenticated against our AD via ACS using EAP-TLS.

We managed to get PEAP working successfully, but failed with EAP-TLS.

From the log we noticed that when PEAP is used, ACS forward username to AD in domain-qualified format (domain\user),and authentication is successful.

When EAP-TLS is used, ACS forward username to AD in UPN format (user@domain), and auth.log received "External DB [NTAuthenDLL.dll]: cannot get user account controler for user@domain

External DB [NTAuthenDLL.dll]: user user@domain was not found

Unknown user 'user@doamin' was not authenticated" . Any workaround for this?

Can anyone throw some light here?

Thank you.

Lahki

3 REPLIES

Re: ACS40, EAP-TLS against Windows AD

Lahki,

Please see this link,

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCAuth.html#wp326018

To permit user access to the network or computer authenticating with EAP-TLS, ACS must verify that the claimed identity (presented in the EAP Identity response) corresponds to the certificate that the user presents. ACS can accomplish this verification in three ways:

•Certificate SAN Comparison-Based on the name in the Subject Alternative Name field in the user certificate.

•Certificate CN Comparison-Based on the name in the Subject Common Name field in the user certificate.

•Certificate Binary Comparison-Based on a binary comparison between the user certificate in the user object in the LDAP server or Active Directory and the certificate that the user presents during EAP-TLS authentication. This comparison method cannot be used to authenticate users who are in an ODBC external user database (ACS for Windows only).

Regards,

~JG

New Member

Re: ACS40, EAP-TLS against Windows AD

JG,

Thanks the response.

We are using Certificate SAN Comparison, and the SAN field in the user certificate matches the user account in AD.

Is there anyone in here who used EAP-TLS with ACS against external Windows database and succeeded? Please throw some light in here. Many thanks in advance.

New Member

Re: ACS40, EAP-TLS against Windows AD

Hi JG,

We managed to get both PEAP and EAP-TLS working with ACS authenticating against windows AD.

http://www.cisco.com/en/US/ts/fn/200/fn20228.html

Regards

Lahki

206
Views
0
Helpful
3
Replies